full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] [OpenID] OpenID/Debian

Re: [Full-disclosure] [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory

From: Ben Laurie <benl_at_nospam>
Date: Fri Aug 08 2008 - 14:51:34 GMT
To: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg@startcom.org>

On Fri, Aug 8, 2008 at 12:44 PM, Eddy Nigg (StartCom Ltd.) <eddy_nigg@startcom.org> wrote:
> This affects any web site and service provider of various natures. It's not
> exclusive for OpenID nor for any other protocol / standard / service! It may
> affect an OpenID provider if it uses a compromised key in combination with
> unpatched DNS servers. I don't understand why OpenID is singled out, since
> it can potentially affect any web site including Google's various services
> (if Google would have used Debian systems to create their private keys).

OpenID is "singled out" because I am not talking about a potential problem but an actual problem.

We have spotted other actual problems in other services. Details will be forthcoming at appropriate times.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/